Skip to content

Update dependency pip to v26 [SECURITY]#13

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-pip-vulnerability
Open

Update dependency pip to v26 [SECURITY]#13
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/pypi-pip-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 26, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
pip (changelog) ==18.1==26.1.2 age confidence

Path Traversal in pip

CVE-2019-20916 / GHSA-gpvv-69j7-gwj8

More information

Details

The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. A fix was committed 6704f2ace.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Improper Input Validation in pip

CVE-2021-3572 / GHSA-5xp3-jfq3-5q8x

More information

Details

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Command Injection in pip when used with Mercurial

CVE-2023-5752 / GHSA-mq26-g339-26xf

More information

Details

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pip's fallback tar extraction doesn't check symbolic links point to extraction directory

CVE-2025-8869 / GHSA-4xh5-x5gv-qwph

More information

Details

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pip Path Traversal vulnerability

CVE-2026-1703 / GHSA-6vgw-5pg2-w6jp

More information

Details

When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pip has an interpretation conflict due to handling both concatenated tar and ZIP files as ZIP files

CVE-2026-3219 / GHSA-58qw-9mgm-455v

More information

Details

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

CVE-2026-6357 / GHSA-jp4c-xjxw-mgf9

More information

Details

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


pip: Path traversal in console_scripts/gui_scripts entry point names allows installing scripts outside of target directory

CVE-2026-8643 / GHSA-wf93-45jw-7689

More information

Details

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

Severity

  • CVSS Score: 4.1 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pypa/pip (pip)

v26.1.2

Compare Source

v26.1.1

Compare Source

v26.1

Compare Source

v26.0.1

Compare Source

v26.0

Compare Source

v25.3

Compare Source

v25.2

Compare Source

v25.1.1

Compare Source

v25.1

Compare Source

v25.0.1

Compare Source

v25.0

Compare Source

v24.3.1

Compare Source

v24.3

Compare Source

v24.2

Compare Source

v24.1.2

Compare Source

v24.1.1

Compare Source

v24.1

Compare Source

v24.0

Compare Source

v23.3.2

Compare Source

v23.3.1

Compare Source

v23.3

Compare Source

v23.2.1

Compare Source

v23.2

Compare Source

v23.1.2

Compare Source

v23.1.1

Compare Source

v23.1

Compare Source

v23.0.1

Compare Source

v23.0

Compare Source

v22.3.1

Compare Source

v22.3

Compare Source

v22.2.2

Compare Source

v22.2.1

Compare Source

v22.2

Compare Source

v22.1.2

Compare Source

v22.1.1

Compare Source

v22.1

Compare Source

v22.0.4

Compare Source

v22.0.3

Compare Source

v22.0.2

Compare Source

v22.0.1

Compare Source

v22.0

Compare Source

v21.3.1

Compare Source

v21.3

Compare Source

v21.2.4

Compare Source

v21.2.3

Compare Source

v21.2.2

Compare Source

v21.2.1

Compare Source

v21.2

Compare Source

v21.1.3

Compare Source

v21.1.2

Compare Source

v21.1.1

Compare Source

v21.1

Compare Source

v21.0.1

Compare Source

v21.0

Compare Source

v20.3.4

Compare Source

v20.3.3

Compare Source

v20.3.2

Compare Source

v20.3.1

Compare Source

v20.3

Compare Source

v20.2.4

Compare Source

v20.2.3

Compare Source

v20.2.2

Compare Source

v20.2.1

Compare Source

v20.2

Compare Source

v20.1.1

Compare Source

v20.1

Compare Source

v20.0.2

Compare Source

v20.0.1

Compare Source

v20.0

Compare Source

v19.3.1

Compare Source

v19.3

Compare Source

v19.2.3

Compare Source

v19.2.2

Compare Source

v19.2.1

Compare Source

v19.2

Compare Source

v19.1.1

Compare Source

v19.1

Compare Source

v19.0.3

Compare Source

v19.0.2

Compare Source

v19.0.1

Compare Source

v19.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency pip to v26 [security] chore(deps): update dependency pip to v26 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate
renovate Bot deleted the renovate/pypi-pip-vulnerability branch March 27, 2026 01:36
@renovate renovate Bot changed the title chore(deps): update dependency pip to v26 [security] - autoclosed chore(deps): update dependency pip to v26 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch 2 times, most recently from 27df7c4 to 8313b4d Compare March 30, 2026 21:56
@renovate renovate Bot changed the title chore(deps): update dependency pip to v26 [security] Update dependency pip to v26 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency pip to v26 [SECURITY] Update dependency pip to v26 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency pip to v26 [SECURITY] - autoclosed Update dependency pip to v26 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate
renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch 2 times, most recently from 8313b4d to 3627f82 Compare April 27, 2026 23:26
@renovate
renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch from 3627f82 to db56d1a Compare May 6, 2026 18:28
@renovate
renovate Bot force-pushed the renovate/pypi-pip-vulnerability branch from db56d1a to 0faa43a Compare July 11, 2026 00:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants